sality | 049d6dd08066d6211bcd8e00da13b1ca0da714c7b87be0f57c7063a9c8fd8a07

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

049d6dd08066d6211bcd8e00da13b1ca0da714c7b87be0f57c7063a9c8fd8a07_NeikiAnalytics.dll
Size

120KB
MD5

97ada4209c9c8a97d5a542cdecf2b030
SHA1

f1770c8bfe50c519c02a1965dcf35fe95ad15e03
SHA256

049d6dd08066d6211bcd8e00da13b1ca0da714c7b87be0f57c7063a9c8fd8a07
SHA512

e87fd74a070b25bcdd1f94a7b0b52680b5639bc73d2c7f3a9fb41a5e2bd6f46072fc600139979091d352fa35648d7e37f895b830207d13b6dba887c363b5b84e
SSDEEP

3072:hW+qFgLzqd+DwhylXSDzlg9Pk1Y4iuoycm:hWLgLi+DwrHlg9s1YnOt

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

f7613cf.exef762f4a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f7613cf.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f7613cf.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f7613cf.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f762f4a.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f762f4a.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f762f4a.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f762f4a.exef7613cf.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f762f4a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7613cf.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f7613cf.exef762f4a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f7613cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f762f4a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f762f4a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f7613cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f7613cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f762f4a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f762f4a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f762f4a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f7613cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f7613cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f7613cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f762f4a.exe

Executes dropped EXE 3 IoCs

Processes:

f7613cf.exef7615a3.exef762f4a.exe

pid process

768 f7613cf.exe
2684 f7615a3.exe
2776 f762f4a.exe
Loads dropped DLL 6 IoCs

Processes:

rundll32.exe

pid process

1696 rundll32.exe
1696 rundll32.exe
1696 rundll32.exe
1696 rundll32.exe
1696 rundll32.exe
1696 rundll32.exe

pid	process
768	f7613cf.exe
2684	f7615a3.exe
2776	f762f4a.exe

pid	process
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/768-12-0x00000000006C0000-0x000000000177A000-memory.dmp	upx
behavioral1/memory/768-14-0x00000000006C0000-0x000000000177A000-memory.dmp	upx
behavioral1/memory/768-21-0x00000000006C0000-0x000000000177A000-memory.dmp	upx
behavioral1/memory/768-19-0x00000000006C0000-0x000000000177A000-memory.dmp	upx
behavioral1/memory/768-18-0x00000000006C0000-0x000000000177A000-memory.dmp	upx
behavioral1/memory/768-15-0x00000000006C0000-0x000000000177A000-memory.dmp	upx
behavioral1/memory/768-20-0x00000000006C0000-0x000000000177A000-memory.dmp	upx
behavioral1/memory/768-22-0x00000000006C0000-0x000000000177A000-memory.dmp	upx
behavioral1/memory/768-17-0x00000000006C0000-0x000000000177A000-memory.dmp	upx
behavioral1/memory/768-16-0x00000000006C0000-0x000000000177A000-memory.dmp	upx
behavioral1/memory/768-59-0x00000000006C0000-0x000000000177A000-memory.dmp	upx
behavioral1/memory/768-60-0x00000000006C0000-0x000000000177A000-memory.dmp	upx
behavioral1/memory/768-61-0x00000000006C0000-0x000000000177A000-memory.dmp	upx
behavioral1/memory/768-78-0x00000000006C0000-0x000000000177A000-memory.dmp	upx
behavioral1/memory/768-77-0x00000000006C0000-0x000000000177A000-memory.dmp	upx
behavioral1/memory/768-98-0x00000000006C0000-0x000000000177A000-memory.dmp	upx
behavioral1/memory/768-99-0x00000000006C0000-0x000000000177A000-memory.dmp	upx
behavioral1/memory/768-100-0x00000000006C0000-0x000000000177A000-memory.dmp	upx
behavioral1/memory/768-101-0x00000000006C0000-0x000000000177A000-memory.dmp	upx
behavioral1/memory/768-105-0x00000000006C0000-0x000000000177A000-memory.dmp	upx
behavioral1/memory/768-106-0x00000000006C0000-0x000000000177A000-memory.dmp	upx
behavioral1/memory/768-143-0x00000000006C0000-0x000000000177A000-memory.dmp	upx
behavioral1/memory/2776-164-0x0000000000920000-0x00000000019DA000-memory.dmp	upx
behavioral1/memory/2776-198-0x0000000000920000-0x00000000019DA000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f7613cf.exef762f4a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f7613cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f762f4a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f762f4a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f762f4a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f762f4a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f7613cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f762f4a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f762f4a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f7613cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f7613cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f7613cf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f7613cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f762f4a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f7613cf.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f7613cf.exef762f4a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7613cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f762f4a.exe

Enumerates connected drives 3 TTPs 11 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f7613cf.exef762f4a.exe

description	ioc	process
File opened (read-only)	\??\H:	f7613cf.exe
File opened (read-only)	\??\J:	f7613cf.exe
File opened (read-only)	\??\M:	f7613cf.exe
File opened (read-only)	\??\E:	f762f4a.exe
File opened (read-only)	\??\G:	f762f4a.exe
File opened (read-only)	\??\E:	f7613cf.exe
File opened (read-only)	\??\G:	f7613cf.exe
File opened (read-only)	\??\I:	f7613cf.exe
File opened (read-only)	\??\K:	f7613cf.exe
File opened (read-only)	\??\L:	f7613cf.exe
File opened (read-only)	\??\N:	f7613cf.exe

Drops file in Windows directory 3 IoCs

Processes:

f7613cf.exef762f4a.exe

description ioc process

File created C:\Windows\f76147a f7613cf.exe
File opened for modification C:\Windows\SYSTEM.INI f7613cf.exe
File created C:\Windows\f7664bc f762f4a.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

f7613cf.exef762f4a.exe

pid process

768 f7613cf.exe
768 f7613cf.exe
2776 f762f4a.exe

description	ioc	process
File created	C:\Windows\f76147a	f7613cf.exe
File opened for modification	C:\Windows\SYSTEM.INI	f7613cf.exe
File created	C:\Windows\f7664bc	f762f4a.exe

pid	process
768	f7613cf.exe
768	f7613cf.exe
2776	f762f4a.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

f7613cf.exef762f4a.exe

description	pid	process
Token: SeDebugPrivilege	768	f7613cf.exe
Token: SeDebugPrivilege	768	f7613cf.exe
Token: SeDebugPrivilege	768	f7613cf.exe
Token: SeDebugPrivilege	768	f7613cf.exe
Token: SeDebugPrivilege	768	f7613cf.exe
Token: SeDebugPrivilege	768	f7613cf.exe
Token: SeDebugPrivilege	768	f7613cf.exe
Token: SeDebugPrivilege	768	f7613cf.exe
Token: SeDebugPrivilege	768	f7613cf.exe
Token: SeDebugPrivilege	768	f7613cf.exe
Token: SeDebugPrivilege	768	f7613cf.exe
Token: SeDebugPrivilege	768	f7613cf.exe
Token: SeDebugPrivilege	768	f7613cf.exe
Token: SeDebugPrivilege	768	f7613cf.exe
Token: SeDebugPrivilege	768	f7613cf.exe
Token: SeDebugPrivilege	768	f7613cf.exe
Token: SeDebugPrivilege	768	f7613cf.exe
Token: SeDebugPrivilege	768	f7613cf.exe
Token: SeDebugPrivilege	768	f7613cf.exe
Token: SeDebugPrivilege	768	f7613cf.exe
Token: SeDebugPrivilege	768	f7613cf.exe
Token: SeDebugPrivilege	2776	f762f4a.exe
Token: SeDebugPrivilege	2776	f762f4a.exe
Token: SeDebugPrivilege	2776	f762f4a.exe
Token: SeDebugPrivilege	2776	f762f4a.exe
Token: SeDebugPrivilege	2776	f762f4a.exe
Token: SeDebugPrivilege	2776	f762f4a.exe
Token: SeDebugPrivilege	2776	f762f4a.exe
Token: SeDebugPrivilege	2776	f762f4a.exe
Token: SeDebugPrivilege	2776	f762f4a.exe
Token: SeDebugPrivilege	2776	f762f4a.exe
Token: SeDebugPrivilege	2776	f762f4a.exe
Token: SeDebugPrivilege	2776	f762f4a.exe
Token: SeDebugPrivilege	2776	f762f4a.exe
Token: SeDebugPrivilege	2776	f762f4a.exe
Token: SeDebugPrivilege	2776	f762f4a.exe
Token: SeDebugPrivilege	2776	f762f4a.exe
Token: SeDebugPrivilege	2776	f762f4a.exe
Token: SeDebugPrivilege	2776	f762f4a.exe
Token: SeDebugPrivilege	2776	f762f4a.exe
Token: SeDebugPrivilege	2776	f762f4a.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

rundll32.exerundll32.exef7613cf.exef762f4a.exe

description	pid	process	target process
PID 2292 wrote to memory of 1696	2292	rundll32.exe	rundll32.exe
PID 2292 wrote to memory of 1696	2292	rundll32.exe	rundll32.exe
PID 2292 wrote to memory of 1696	2292	rundll32.exe	rundll32.exe
PID 2292 wrote to memory of 1696	2292	rundll32.exe	rundll32.exe
PID 2292 wrote to memory of 1696	2292	rundll32.exe	rundll32.exe
PID 2292 wrote to memory of 1696	2292	rundll32.exe	rundll32.exe
PID 2292 wrote to memory of 1696	2292	rundll32.exe	rundll32.exe
PID 1696 wrote to memory of 768	1696	rundll32.exe	f7613cf.exe
PID 1696 wrote to memory of 768	1696	rundll32.exe	f7613cf.exe
PID 1696 wrote to memory of 768	1696	rundll32.exe	f7613cf.exe
PID 1696 wrote to memory of 768	1696	rundll32.exe	f7613cf.exe
PID 768 wrote to memory of 1288	768	f7613cf.exe	taskhost.exe
PID 768 wrote to memory of 1352	768	f7613cf.exe	Dwm.exe
PID 768 wrote to memory of 1380	768	f7613cf.exe	Explorer.EXE
PID 768 wrote to memory of 2208	768	f7613cf.exe	DllHost.exe
PID 768 wrote to memory of 2292	768	f7613cf.exe	rundll32.exe
PID 768 wrote to memory of 1696	768	f7613cf.exe	rundll32.exe
PID 768 wrote to memory of 1696	768	f7613cf.exe	rundll32.exe
PID 1696 wrote to memory of 2684	1696	rundll32.exe	f7615a3.exe
PID 1696 wrote to memory of 2684	1696	rundll32.exe	f7615a3.exe
PID 1696 wrote to memory of 2684	1696	rundll32.exe	f7615a3.exe
PID 1696 wrote to memory of 2684	1696	rundll32.exe	f7615a3.exe
PID 1696 wrote to memory of 2776	1696	rundll32.exe	f762f4a.exe
PID 1696 wrote to memory of 2776	1696	rundll32.exe	f762f4a.exe
PID 1696 wrote to memory of 2776	1696	rundll32.exe	f762f4a.exe
PID 1696 wrote to memory of 2776	1696	rundll32.exe	f762f4a.exe
PID 768 wrote to memory of 1288	768	f7613cf.exe	taskhost.exe
PID 768 wrote to memory of 1352	768	f7613cf.exe	Dwm.exe
PID 768 wrote to memory of 1380	768	f7613cf.exe	Explorer.EXE
PID 768 wrote to memory of 2684	768	f7613cf.exe	f7615a3.exe
PID 768 wrote to memory of 2684	768	f7613cf.exe	f7615a3.exe
PID 768 wrote to memory of 2776	768	f7613cf.exe	f762f4a.exe
PID 768 wrote to memory of 2776	768	f7613cf.exe	f762f4a.exe
PID 2776 wrote to memory of 1288	2776	f762f4a.exe	taskhost.exe
PID 2776 wrote to memory of 1352	2776	f762f4a.exe	Dwm.exe
PID 2776 wrote to memory of 1380	2776	f762f4a.exe	Explorer.EXE

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

f7613cf.exef762f4a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7613cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f762f4a.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1288

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1352

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1380

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\049d6dd08066d6211bcd8e00da13b1ca0da714c7b87be0f57c7063a9c8fd8a07_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\049d6dd08066d6211bcd8e00da13b1ca0da714c7b87be0f57c7063a9c8fd8a07_NeikiAnalytics.dll,#1
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\f7613cf.exe
C:\Users\Admin\AppData\Local\Temp\f7613cf.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:768

C:\Users\Admin\AppData\Local\Temp\f7615a3.exe
C:\Users\Admin\AppData\Local\Temp\f7615a3.exe
4⤵
- Executes dropped EXE
PID:2684

C:\Users\Admin\AppData\Local\Temp\f762f4a.exe
C:\Users\Admin\AppData\Local\Temp\f762f4a.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2776

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2208

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SYSTEM.INI
Filesize
257B

MD5
422a05f74d2e60919f967136aeeed34f

SHA1
34030a2e42caf4433e23d1b0b980a478a2304b50

SHA256
fd19ac46ff1a39fe9466a67c3533ea17def37975e8d9b74b93583e0abb8c5088

SHA512
0ef4fdb1dc0b5d602d36fb9ba2d3186e0739b685e97edc364a0fbea9c6c6d87655df9ee57ca8a80304686dc04af89c1fb1f41a8541870cf3ad4977771305e4a0

Download Submit
\Users\Admin\AppData\Local\Temp\f7613cf.exe
Filesize
97KB

MD5
698141a3012e5f0ff590938d6678b443

SHA1
bff98b84f0e2916e6362012ec80a86ed7df09892

SHA256
cc49f1b74348ef5b3c19ea161da5980ddb971f1eaeb8007b6d6691f4491d6edf

SHA512
0dbf48c941b2563fa198846cf6300c63739b10bbcf8fbce42163e0c6f013bfc06eb258ee5ca69105675ff80c277b4ab7e45a1eeaf09105016e19c7c744225be4

Download Submit
memory/768-105-0x00000000006C0000-0x000000000177A000-memory.dmp

Filesize
16.7MB

Download
memory/768-99-0x00000000006C0000-0x000000000177A000-memory.dmp

Filesize
16.7MB

Download
memory/768-142-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/768-12-0x00000000006C0000-0x000000000177A000-memory.dmp

Filesize
16.7MB

Download
memory/768-14-0x00000000006C0000-0x000000000177A000-memory.dmp

Filesize
16.7MB

Download
memory/768-21-0x00000000006C0000-0x000000000177A000-memory.dmp

Filesize
16.7MB

Download
memory/768-19-0x00000000006C0000-0x000000000177A000-memory.dmp

Filesize
16.7MB

Download
memory/768-18-0x00000000006C0000-0x000000000177A000-memory.dmp

Filesize
16.7MB

Download
memory/768-15-0x00000000006C0000-0x000000000177A000-memory.dmp

Filesize
16.7MB

Download
memory/768-143-0x00000000006C0000-0x000000000177A000-memory.dmp

Filesize
16.7MB

Download
memory/768-119-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/768-106-0x00000000006C0000-0x000000000177A000-memory.dmp

Filesize
16.7MB

Download
memory/768-77-0x00000000006C0000-0x000000000177A000-memory.dmp

Filesize
16.7MB

Download
memory/768-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/768-20-0x00000000006C0000-0x000000000177A000-memory.dmp

Filesize
16.7MB

Download
memory/768-101-0x00000000006C0000-0x000000000177A000-memory.dmp

Filesize
16.7MB

Download
memory/768-100-0x00000000006C0000-0x000000000177A000-memory.dmp

Filesize
16.7MB

Download
memory/768-78-0x00000000006C0000-0x000000000177A000-memory.dmp

Filesize
16.7MB

Download
memory/768-46-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/768-22-0x00000000006C0000-0x000000000177A000-memory.dmp

Filesize
16.7MB

Download
memory/768-17-0x00000000006C0000-0x000000000177A000-memory.dmp

Filesize
16.7MB

Download
memory/768-16-0x00000000006C0000-0x000000000177A000-memory.dmp

Filesize
16.7MB

Download
memory/768-59-0x00000000006C0000-0x000000000177A000-memory.dmp

Filesize
16.7MB

Download
memory/768-60-0x00000000006C0000-0x000000000177A000-memory.dmp

Filesize
16.7MB

Download
memory/768-61-0x00000000006C0000-0x000000000177A000-memory.dmp

Filesize
16.7MB

Download
memory/768-48-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/768-98-0x00000000006C0000-0x000000000177A000-memory.dmp

Filesize
16.7MB

Download
memory/1288-28-0x00000000020F0000-0x00000000020F2000-memory.dmp

Filesize
8KB

Download
memory/1696-55-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1696-36-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1696-71-0x0000000000220000-0x0000000000232000-memory.dmp

Filesize
72KB

Download
memory/1696-72-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1696-57-0x0000000000200000-0x0000000000212000-memory.dmp

Filesize
72KB

Download
memory/1696-35-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1696-70-0x0000000000220000-0x0000000000232000-memory.dmp

Filesize
72KB

Download
memory/1696-10-0x0000000000170000-0x0000000000182000-memory.dmp

Filesize
72KB

Download
memory/1696-9-0x0000000000170000-0x0000000000182000-memory.dmp

Filesize
72KB

Download
memory/1696-45-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1696-74-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download
memory/1696-7-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2684-88-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2684-96-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2684-147-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2684-87-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2684-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2776-93-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download
memory/2776-76-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2776-97-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download
memory/2776-95-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2776-164-0x0000000000920000-0x00000000019DA000-memory.dmp

Filesize
16.7MB

Download
memory/2776-198-0x0000000000920000-0x00000000019DA000-memory.dmp

Filesize
16.7MB

Download
memory/2776-197-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads